Re: [sqlmap-users] How to avoid union filter?
From: Malek T. <pag...@gm...> - 2010-04-25 22:31:26
Hello,

The type of filter is: the server is filtering for something like information_schema.tables; it's filtered. @@version() is filtered, but version() is not. user() is not filtered; I could get the user name and the db name. database() is not filtered. select is filtered, but I could bypass it by putting the comment /**/ before and after select and it works, but I couldn't get the table names because of the filtering of information_schema.tables. I couldn't figure out how this filter works, so is there any way to bypass something like information_schema.tables? I used CHAR() like CHAR(69,6e,66,6f,72,6d,61,74,69,6f,6e,5f,73,63,68,65,6d,61,2e,74,61,62,6c,65,73) but it didn't work either.

2010/4/22 Ignacio Hernández <nac...@gm...>

> Sometimes you can bypass some badly implemented IDS/WAF that look for specific words like "union", "select" or "from", as David says, in other ways, for example:
> http://www.site.com/vuln.php?id=323/**/union/**/all/**/select/**/...
> (replacing spaces by /**/)
> or:
> http://www.site.com/vuln.php?id=323 UnIoN aLl SeLeCt... (randomly uppercase/lowercase keywords; some IDS/WAF only look for "union" or "UNION" but not for "UnIoN")
>
> Also I think the sqlmap developers are working on more sophisticated bypass techniques.
>
> 2010/4/22 David Guimaraes <sk...@gm...>
>
>> What type of filter is used? It removes certain words and executes the query, or simply does not run anything at all?
>>
>> I've come across a filter that removed certain words of parameters passed by users, such as UNION, SELECT, DROP, ALTER, UPDATE, and comments like "--" or "/*".
>>
>> To get around it, I used this:
>>
>> http://www.site.com/vuln.php?id=323 UN--ION A--LL SELE--CT 1,2,3 FRO--M table
>>
>> The query was filtered 1x and resulted in the following expression:
>>
>> http://www.site.com/vuln.php?id=323 UNION ALL SELECT 1,2,3 FROM table
>>
>> Hope this helps. =)
>>
>> On Thu, Apr 22, 2010 at 2:01 PM, Pagera <pag...@gm...> wrote:
>>
>>> Hello,
>>>
>>> Is there any way to avoid a server filter? Like filtering union or select in the URL?
>>>
>>> Because sqlmap seems not to work when there is filtering.
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> David Gomes Guimarães
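The single-pass word-stripping filter David describes, reproduced as an added example (not code from anyone in this thread) to show why it is not a defence: the only robust fix is to validate the parameter against what it should be (here a decimal id) and bind it as a query parameter. The function names, the `items` table and the sample row are assumptions for the demo.

```python
import re
import sqlite3

# Blacklist of the kind described in the thread: each token is removed once.
BLOCKED = ("UNION", "SELECT", "DROP", "ALTER", "UPDATE", "--", "/*")


def naive_strip(value: str) -> str:
    """Single-pass, case-sensitive removal, as the thread describes the filter.
    Deleting '--' once reassembles split keywords, and 'UnIoN' is never matched."""
    for token in BLOCKED:
        value = value.replace(token, "")
    return value


def validate_id(value: str):
    """Allow-list check: an id must be a plain decimal integer; anything else is rejected."""
    return int(value) if re.fullmatch(r"\d{1,10}", value) else None


def fetch_row(conn, raw_id: str):
    """Safe lookup: the validated integer is bound as a parameter, never spliced into SQL."""
    id_ = validate_id(raw_id)
    if id_ is None:
        return None
    return conn.execute("SELECT name FROM items WHERE id = ?", (id_,)).fetchone()


def demo_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO items VALUES (323, 'widget')")
    return conn
```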